NIST: Strategies to Mitigate Risk in the Federal ICT Supply Chain

Monday, May 07, 2012

The National Institute of Standards and Technology (NIST) has extended until May 25, 2012, the comment period for the second draft of a publication intended to help federal departments and agencies better manage supply chain risks for federal information systems.

The document provides a set of 10 practices intended to help federal departments and agencies manage the risk associated with the supply chain when purchasing and implementing information and communications technologies (ICT) products and services. This second draft, issued on March 23, 2012, reflects extensive revisions based on comments from the public on the first draft released in June 2010.

Federal information systems are increasingly exposed to both intentional and unintentional security risks introduced through their supply chain. “The supply chain risk is significant and growing,” according to co-author Jon Boyens, NIST senior advisor for information security. Improving the ICT supply chain is part of the Comprehensive National Cybersecurity Initiative.

The growing sophistication of technology and increasing speed and scale of a complex, distributed global supply chain leave government agencies without a comprehensive way of managing or understanding the processes from design to disposal, and that increases the risk of exploitation through a variety of means including counterfeit materials, malicious software or untrustworthy products.

NIST Interagency Report (NISTIR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, is based on security practices and procedures published by, among others, NIST, the National Defense University and the National Defense Industrial Association and then expanded to include supply chain implications.

The new draft narrows the 21 prescriptive practices in the first draft down to 10 overarching practices that describe what is necessary for risk mitigation. ICT supply chain risk management is described in NISTIR 7622 as a multidisciplinary practice with a number of interconnected enterprise processes that, when performed correctly, will help departments and agencies manage the risk of using ICT products and services, Boyens explained.

The publication calls for procurement organizations to establish a coordinated team approach to assess the ICT supply chain risk and to manage this risk by using technical and programmatic mitigation techniques.

The authors seek comments on the document, to be sent to scrm-nist@nist.gov by May 25. Specifically, they are looking for comments on prioritizing the supply chain risk management components and what information described in the document has already been collected in response to other legislation, regulations and standards.

To help understand how the proposed process works, the authors would like reviewers to consider how the practices could be applied to recent and upcoming procurement activities and provide comments on the practicality, feasibility, cost, challenges and successes.